My ssh-agent works well and I haven't any problem with it : I'm using
keychain (persistent ssh-agent across connections; from debian
packages), filling the .ssh/environment file to get env setted correctly
for that.

Anyway, the trick doesn't work correctly since the terminal mode is raw
: I can succeed in logging the way I want but can't do any vi or any tab
command completion...

Concerning the security level you've evaluated, I do agree with the fact
that one's could read bastion's memory to get access to targets' keys.
But :
1 - I made those targets keys usable only from the bastion. If the keys
where on the local box, this kind of filtering couldn't be done as far
as my users should be able to connect from everywhere - modulus ip
spoofing of course.

2 - With all my targets keys on the bastion, I can administrate them in
a central way - which can't be done in the
distributed-to-the-local-boxes way. In particular, it's far more easy to
give a temporary access to anyone to any target in the bastion's holding
way.

3 - Saying the keys can be read from the bastion's memory isn't worse
than distributing them across local boxes which are secureless than the
bastion - since they are some local boxes shared by multiple people...
Furthermore, the keys can regularly be changed to clean those kind of
weakness.

> On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu (at) laposte (dot) fr [email concealed]> wrote:
>> Putty conf :
>> connection type : raw
>> local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
>> -p %port -l role %host"\n
>
> I assume "ssh -p %port -l role %host" here is a command executed on
> the bastion to connect to the target. Currently it does not work as
> the target asks for the key known only for the bastion.
>
> You mentioned that "ssh-agent running well with the target.". If that
> means that bastion has ssh-agent running with a key for the target
> then in the above command you just need to tell the ssh where to look
> for ssh agent socket. You can do that with env command that sets
> SSH_AUTH_SOCK like in:
>
> plink.exe -t %user@%proxyhost -agent "env
> SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"
>
> The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
> maximum convenience you may run the ssh-agent on bastion with -d
> option to specify the exact location of the socket like in:
>
> ssh-agent -b "$HOME/.ssh/agent-socket"
>
> and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket
>
>
> On the other hand the setup like that implies that one can always
> connect to the target if he has the key to bastion. Moreover, anybody
> who can login to bastion under your user name can also recover the
> private key for the target via inspecting ssh-agent memory. So the
> setup above is less secure if you would simply have the key to the
> target on your local box properly password-protected and loaded into
> putty agent.
>
> Regards, Igor
>